lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 24 Sep 2021 20:14:13 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Xin Long <lucien.xin@...il.com>
Cc:     syzbot <syzbot+581aff2ae6b860625116@...kaller.appspotmail.com>,
        davem <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        "linux-sctp @ vger . kernel . org" <linux-sctp@...r.kernel.org>,
        Marcelo Ricardo Leitner <marcelo.leitner@...il.com>,
        network dev <netdev@...r.kernel.org>,
        Neil Horman <nhorman@...driver.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Vlad Yasevich <vyasevich@...il.com>
Subject: Re: [syzbot] general protection fault in sctp_rcv

On Thu, Sep 23, 2021 at 12:34:42PM +0300, Dan Carpenter wrote:
> On Wed, Sep 22, 2021 at 05:18:29PM +0800, Xin Long wrote:
> > On Tue, Sep 21, 2021 at 12:09 PM syzbot
> > <syzbot+581aff2ae6b860625116@...kaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    98dc68f8b0c2 selftests: nci: replace unsigned int with int
> > > git tree:       net
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=11fd443d300000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=c31c0936547df9ea
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=581aff2ae6b860625116
> > > compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+581aff2ae6b860625116@...kaller.appspotmail.com
> > >
> > > general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
> > > KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
> > > CPU: 0 PID: 11205 Comm: kworker/0:12 Not tainted 5.14.0-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Workqueue: ipv6_addrconf addrconf_dad_work
> > > RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
> > by anyway, checking if skb_header_pointer() return NULL is always needed:
> > @@ -702,7 +702,7 @@ static int sctp_rcv_ootb(struct sk_buff *skb)
> >                 ch = skb_header_pointer(skb, offset, sizeof(*ch), &_ch);
> > 
> >                 /* Break out if chunk length is less then minimal. */
> > -               if (ntohs(ch->length) < sizeof(_ch))
> > +               if (!ch || ntohs(ch->length) < sizeof(_ch))
> >                         break;
> > 
> 
> The skb_header_pointer() function is annotated as __must_check but that
> only means you have to use the return value.  These things would be
> better as a Coccinelle or Smatch check.
> 
> I will create a Smatch warning for this.

These are the Smatch warnings for this:

net/sctp/input.c:705 sctp_rcv_ootb() error: skb_header_pointer() returns NULL
net/ipv6/netfilter/ip6t_rt.c:111 rt_mt6() error: skb_header_pointer() returns NULL
net/ipv4/icmp.c:1076 icmp_build_probe() error: skb_header_pointer() returns NULL
net/ipv4/icmp.c:1089 icmp_build_probe() error: skb_header_pointer() returns NULL

regards,
dan carpenter

Powered by blists - more mailing lists